Abstract — Cyber-physical systems integrate computation, communication, and physical capabilities to interact with the physical world and humans. Besides failures of components, cyber-physical systems are prone to malicious attacks, so that specific analysis tools and monitoring mechanisms need to be developed to enforce system security and reliability. This paper builds upon the results presented in our companion paper [1] and proposes centralized and distributed monitors for attack detection and identification. First, we design optimal centralized attack detection and identification monitors. Optimality refers to the ability of detecting (respectively identifying) every detectable (respectively identifiable) attack. Second, we design an optimal distributed attack detection filter based upon a waveform relaxation technique. Third, we show that the attack identification problem is computationally hard, and we design a sub-optimal distributed attack identification procedure with performance guarantees. Finally, we illustrate the robustness of our monitors to system noise and unmodeled dynamics through a simulation study.

I. Introduction 

Cyber-physical systems need to remain functional and operate reliably in presence of unforeseen failures and, possibly, external attacks. Besides failures and attacks on the physical infrastructure, cyber-physical systems are also prone to cyber attacks against their data management, control, and communication layer [2], [3], [4], [5].

In several cyber-physical systems, including water and gas distribution networks, electric power systems, and dynamic Leontief econometric models, the physical dynamics include both differential equations as well as algebraic constraints. In [1] we model cyber-physical systems under attack by means of linear continuous-time differential-algebraic systems; we analyze the fundamental limitations of attack detection and identification, and we characterize the vulnerabilities of these systems by graph-theoretic methods. In this paper we design monitors for attack detection and identification for the cyber-physical model presented in [1].

Related work. Concerns about security of control, communication, and computation systems are not recent as testified by the numerous works in the fields of fault-tolerance control and information security. However, as discussed in [1], cyber-physical systems feature vulnerabilities beyond fault-tolerance control and information security methods.
Attack detection and identification monitors have recently been proposed. In [6], [7] monitoring procedures are designed for the specific case of state attacks against discrete-time nonsingular systems. In [8] an algorithm to detect output attacks against discrete-time nonsingular systems is described and characterized. In [9] a detection scheme for replay attacks is proposed. Fault detection and identification schemes for linear differential-algebraic power network models are presented in [10], [11] and in the conference version of this paper [12]. We remark that the designs in [10], [11] consider particular known faults rather than unknown and carefully orchestrated cyber-physical attacks. Finally, protection schemes for output attacks against systems described by purely static models are presented, among others, in [13], [14].

Contributions. The main contributions of this work are as follows. First, for the differential-algebraic model of cyber-physical systems under attacks developed in [1], we design centralized monitors for attack detection and identification. With respect to the existing solutions, in this paper we propose attack detection and identification filters that are effective against both state and output attacks against linear continuous-time differential-algebraic cyber-physical systems. Our monitors are designed by using tools from geometric control theory; they extend the construction of [15] to descriptor systems with direct feedthrough matrix, and they are guaranteed to achieve optimal performance, in the sense that they detect (respectively identify) every detectable (respectively identifiable) attack.

Second, we develop a fully distributed attack detection 
filter with optimal (centralized) performance. Specifically, we 
provide a distributed implementation of our centralized attack 
detection filter based upon iterative local computations by 
using the Gauss-Jacobi waveform relaxation technique. For 
the implementation of this method, we rely upon cooperation 
among geographically deployed control centers, each one 
responsible for a part of the system. In particular, we require 
each control center to have access to the measurements of its 
local subsystem, synchronous communication among neigh- 
boring control centers at discrete time instants, and ability to 
perform numerical integration. 

Third, we show that the attack identification problem is inherently computationally hard. Consequently, we design a distributed identification method that achieves identification, at a low computational cost and for a class of attacks, which can be characterized accurately. Our distributed identification method is based upon a divide and conquer procedure, in which first corrupted regions and then corrupted components are identified by means of local identification procedures and cooperation among neighboring regions. Due to cooperation, our distributed procedure provably improves upon the fully decoupled approach advocated in decentralized control [16].

Fourth, we present several illustrative examples. Besides 
illustrating our findings concerning centralized and distributed 
detection and identification, our numerical investigations show 
that our methods are effective also in the presence of system 
noise, nonlinearities, and modeling uncertainties. 

Finally, as a minor contribution, we build upon the estimation method in [17] to characterize the largest subspace of the state space of a descriptor system that can be reconstructed in the presence of unknown inputs.

Paper organization. Section II contains a mathematical description of the problems under investigation. In Section III we design monitors for attack detection. Specifically, we propose optimal centralized, decentralized, and distributed monitors. In Section IV we show that the attack identification problem is computationally hard. Additionally, we design an optimal centralized and a sub-optimal decentralized attack identification monitor. Finally, Section V and Section VI contain, respectively, our numerical studies, and our conclusion.

II. Problem setup and preliminary concepts 

In this section we recall the framework proposed in [1] for cyber-physical systems and attacks. We model a cyber-physical system under attack with the time-invariant descriptor system

\[
\begin{aligned}
E\dot{x}(t) &= Ax(t) + Bu(t), \\
y(t) &= Cx(t) + Du(t),
\end{aligned}
\tag{1}
\]

where $x(t) \in \mathbb{R}^n$, $y(t) \in \mathbb{R}^p$, $E \in \mathbb{R}^{n \times n}$, $A \in \mathbb{R}^{n \times n}$, $B \in \mathbb{R}^{n \times m}$, $C \in \mathbb{R}^{p \times n}$, and $D \in \mathbb{R}^{p \times m}$. Here the matrix $E$ is possibly singular, and the input terms $Bu(t)$ and $Du(t)$ are unknown signals describing disturbances affecting the plant. Besides reflecting the genuine failure of system components, these disturbances model the effect of an attack against the cyber-physical system. For notational convenience and without affecting generality, we assume that each state and output variable can be independently compromised by an attacker. Thus, we let $B = [I, 0]$ and $D = [0, I]$ be partitioned into identity and zero matrices of appropriate dimensions, and, accordingly, $u(t) = [u_x(t)^{\mathsf T}, u_y(t)^{\mathsf T}]^{\mathsf T}$. Hence, the unknown input $(Bu(t), Du(t)) = (u_x(t), u_y(t))$ can be classified as a state attack affecting the system dynamics and as an output attack corrupting directly the measurements vector.

The attack signal $t \mapsto u(t) \in \mathbb{R}^{n+p}$ depends upon the specific attack strategy. In the presence of $k \in \mathbb{N}_0$, $k < n+p$, attackers indexed by the attack set $K \subseteq \{1, \ldots, n+p\}$, only and all the entries $K$ of $u(t)$ are nonzero over time. To underline this sparsity relation, we sometimes use $u_K(t) \in \mathbb{R}^{|K|}$ to denote the attack mode, that is, the subvector of $u(t)$ indexed by $K$. Accordingly, we use the pair $(B_K, D_K)$, where $B_K$ and $D_K$ are the submatrices of $B$ and $D$ with columns in $K$, to denote the attack signature. Hence, $Bu(t) = B_K u_K(t)$ and $Du(t) = D_K u_K(t)$. We make the following assumptions on system (1), a discussion of which can be found in [1]:

(A1) the pair $(E, A)$ is regular, that is, $\det(sE - A)$ does not vanish identically;

(A2) the initial condition $x(0) \in \mathbb{R}^n$ is consistent, that is, $(Ax(0) + Bu(0)) \perp \operatorname{Ker}(E^{\mathsf T})$; and

(A3) the input signal $u(t)$ is smooth.

The following definitions are inspired by our results in [1]. Let $y(x_0, u, t)$ be the output sequence generated from the initial state $x_0$ under the attack signal $u(t)$.

Definition 1: (Undetectable attack set) For the linear descriptor system (1), the attack set $K$ is undetectable if there exist initial conditions $x_1, x_2 \in \mathbb{R}^n$, and an attack mode $u_K(t)$ such that, for all $t \in \mathbb{R}_{\ge 0}$, it holds $y(x_1, u_K, t) = y(x_2, 0, t)$.

Definition 2: (Unidentifiable attack set) For the linear descriptor system (1), the attack set $K$ is unidentifiable if there exists an attack set $R$, with $|R| \le |K|$ and $R \neq K$, initial conditions $x_K, x_R \in \mathbb{R}^n$, and attack modes $u_K(t)$, $u_R(t)$ such that, for all $t \in \mathbb{R}_{\ge 0}$, it holds $y(x_K, u_K, t) = y(x_R, u_R, t)$.

In our companion paper [1] we characterize undetectable and unidentifiable attacks. In this paper, instead, we design monitors to achieve attack detection and identification.

III. Monitor design for attack detection 

A. Centralized attack detection monitor design 

In the following we present a centralized attack detection 
filter based on a modified Luenberger observer. 

Theorem 3.1: (Centralized attack detection filter) Consider the descriptor system (1) and assume that the attack set $K$ is detectable, and that the network initial state $x(0)$ is known. Consider the centralized attack detection filter

\[
\begin{aligned}
E\dot{w}(t) &= (A + GC)w(t) - Gy(t), \\
r(t) &= Cw(t) - y(t),
\end{aligned}
\tag{2}
\]

where $w(0) = x(0)$ and the output injection $G \in \mathbb{R}^{n \times p}$ is such that the pair $(E, A + GC)$ is regular and Hurwitz. Then $r(t) = 0$ at all times $t \in \mathbb{R}_{\ge 0}$ if and only if $u_K(t) = 0$ at all times $t \in \mathbb{R}_{\ge 0}$. Moreover, in the absence of attacks, the filter error $w(t) - x(t)$ is exponentially stable.

Proof: Consider the error $e(t) = w(t) - x(t)$ between the dynamic states of the filter (2) and the descriptor system (1). The error dynamics with output $r(t)$ are given by

\[
\begin{aligned}
E\dot{e}(t) &= (A + GC)e(t) - (B_K + GD_K)u_K(t), \\
r(t) &= Ce(t) - D_K u_K(t),
\end{aligned}
\tag{3}
\]

where $e(0) = 0$. To prove the theorem we show that the error system (3) has no invariant zeros, that is, $r(t) = 0$ for all $t \in \mathbb{R}_{\ge 0}$ if and only if $u_K(t) = 0$ for all $t \in \mathbb{R}_{\ge 0}$. Since the initial condition $x(0)$ and the input $u_K(t)$ are assumed to be consistent (A2) and non-impulsive (A3), the error system (3) has no invariant zeros if and only if [18, Proposition 3.4] there exists no triple $(s, w, g_K) \in \mathbb{C} \times \mathbb{R}^n \times \mathbb{R}^{|K|}$ satisfying

\[
\begin{bmatrix}
sE - (A + GC) & B_K + GD_K \\
C & -D_K
\end{bmatrix}
\begin{bmatrix} w \\ g_K \end{bmatrix}
=
\begin{bmatrix} 0 \\ 0 \end{bmatrix}.
\tag{4}
\]

Substituting $Cw$ by $D_K g_K$ in the first equation of (4), the set of equations (4) can be equivalently written as

\[
\begin{bmatrix}
sE - A & B_K \\
C & -D_K
\end{bmatrix}
\begin{bmatrix} w \\ g_K \end{bmatrix}
=
\begin{bmatrix} 0 \\ 0 \end{bmatrix}.
\tag{5}
\]

Finally, note that a solution $(s, -w, g_K)$ to the above set of equations would yield an invariant zero, zero state, and zero input for the descriptor system (1). By the detectability assumption¹ the descriptor model (1) has no zero dynamics and the matrix pencil in (5) necessarily has full rank. It follows that the triple $(E, A, C)$ is observable, so that $G$ can be chosen to make the pair $(E, A + GC)$ Hurwitz [19, Theorem 4.1.1], and the error system (3) is stable and with no zero dynamics. ■

Remark 1: (Detection and identification filters for unknown initial condition and noisy dynamics) If the network initial state is not available, then, since $(E, A + GC)$ is Hurwitz, an arbitrary initial state $w(0) \in \mathbb{R}^n$ can be chosen. Consequently, the filter converges asymptotically, and some attacks may remain undetected or unidentified. For instance, if the eigenvalues of the detection filter matrix have real part smaller than $c < 0$, with $c \in \mathbb{R}$, then, in the absence of attacks, the residual $r(t)$ exponentially converges to zero with rate less than $c$. Hence, only inputs $u(t)$ that vanish at least as fast as $e^{-ct}$ may remain undetected by the filter (2). Alternatively, the detection filter can be modified so as to converge in a predefined finite time, see [20], [21]. In this case, every attack signal is detectable after a finite transient.

If the dynamics and the measurements of (1) are affected by modeling uncertainties and noise with known statistics, then the output injection matrix $G$ in (2) should be chosen so as to optimize the sensitivity of the residual $r(t)$ to attacks versus the effect of noise. Standard robust filtering or model matching techniques can be adopted for this task [22]. Statistical hypothesis testing techniques can subsequently be used to analyze the residual $r(t)$ [23]. Finally, as discussed in [1], attacks aligned with the noise statistics turn out to be undetectable. □

Observe that the design of the filter (2) is independent of the particular attack signature $(B_K, D_K)$ and its performance is optimal in the sense that any detectable attack set $K$ can be detected. We remark that for index-one descriptor systems such as power system models, the filter (2) can analogously be designed for the corresponding Kron-reduced model, as defined in [1]. In this case, the resulting attack detection filter is low-dimensional and non-singular but also non-sparse, see [12]. In comparison, the presented filter (2), although inherently centralized, features the sparse matrices $(E, A, C)$. This sparsity will be key to develop a distributed attack detection filter.



B. Decentralized attack detection monitor design 

Let $\mathcal{G} = (\mathcal{V}, \mathcal{E})$ be the directed graph associated with the pair $(E, A)$, where the vertex set $\mathcal{V} = \{1, \ldots, n\}$ corresponds to the system state, and the set of directed edges $\mathcal{E} = \{(x_j, x_i) : e_{ij} \neq 0 \text{ or } a_{ij} \neq 0\}$ is induced by the sparsity pattern of $E$ and $A$; see also [1, Section IV]. Assume that $\mathcal{V}$ has been partitioned into $N$ disjoint subsets as $\mathcal{V} = \mathcal{V}_1 \cup \cdots \cup \mathcal{V}_N$, with $|\mathcal{V}_i| = n_i$, and let $\mathcal{G}_i = (\mathcal{V}_i, \mathcal{E}_i)$ be the $i$-th subgraph of $\mathcal{G}$ with vertices $\mathcal{V}_i$ and edges $\mathcal{E}_i = \mathcal{E} \cap (\mathcal{V}_i \times \mathcal{V}_i)$.
According to this partition, and possibly after relabeling the states, the system matrix $A$ in (1) can be written as

\[
A =
\begin{bmatrix}
A_1 & \cdots & A_{1N} \\
\vdots & \ddots & \vdots \\
A_{N1} & \cdots & A_N
\end{bmatrix}
= A_D + A_C,
\]

where $A_i \in \mathbb{R}^{n_i \times n_i}$, $A_{ij} \in \mathbb{R}^{n_i \times n_j}$, $A_D$ is block-diagonal, and $A_C = A - A_D$. Notice that, if $A_D = \operatorname{blkdiag}(A_1, \ldots, A_N)$, then $A_D$ represents the isolated subsystems and $A_C$ describes the interconnection structure among the subsystems. Additionally, if the original system is sparse, then several blocks in $A_C$ vanish. We make the following assumptions:

(A4) the matrices $E$, $C$ are block-diagonal, that is, $E = \operatorname{blkdiag}(E_1, \ldots, E_N)$, $C = \operatorname{blkdiag}(C_1, \ldots, C_N)$, where $E_i \in \mathbb{R}^{n_i \times n_i}$ and $C_i \in \mathbb{R}^{p_i \times n_i}$;

(A5) each pair $(E_i, A_i)$ is regular, and each triple $(E_i, A_i, C_i)$ is observable.

¹ Due to linearity of the descriptor system (1), the detectability assumption reads as "the attack $(B, D, u(t))$ is detectable if there exist no initial condition $x_0 \in \mathbb{R}^n$ such that $y(x_0, u, t) = 0$ for all $t \in \mathbb{R}_{\ge 0}$."

Given the above structure and in the absence of attacks, the descriptor system (1) can be written as the interconnection of $N$ subsystems of the form

\[
\begin{aligned}
E_i \dot{x}_i(t) &= A_i x_i(t) + \sum_{j \in \mathcal{N}_i^{\mathrm{in}}} A_{ij} x_j(t), \\
y_i(t) &= C_i x_i(t), \qquad i \in \{1, \ldots, N\},
\end{aligned}
\tag{6}
\]

where $x_i(t)$ and $y_i(t)$ are the state and output of the $i$-th subsystem and $\mathcal{N}_i^{\mathrm{in}} = \{j \in \{1, \ldots, N\} \setminus i : \|A_{ij}\| \neq 0\}$ are the in-neighbors of subsystem $i$. We also define the set of out-neighbors as $\mathcal{N}_i^{\mathrm{out}} = \{j \in \{1, \ldots, N\} \setminus i : \|A_{ji}\| \neq 0\}$. We assume the presence of a control center in each subnetwork $\mathcal{G}_i$ with the following capabilities:

(A6) the $i$-th control center knows the matrices $E_i$, $A_i$, $C_i$, as well as the neighboring matrices $A_{ij}$, $j \in \mathcal{N}_i^{\mathrm{in}}$; and

(A7) the $i$-th control center can transmit an estimate of its state to the $j$-th control center if $j \in \mathcal{N}_i^{\mathrm{out}}$.
Before deriving a fully-distributed attack detection filter, we explore the question of decentralized stabilization of the error dynamics of the filter. For each subsystem consider the local residual generator

\[
\begin{aligned}
E_i \dot{w}_i(t) &= (A_i + G_i C_i) w_i(t) + \sum_{j \in \mathcal{N}_i^{\mathrm{in}}} A_{ij} w_j(t) - G_i y_i(t), \\
r_i(t) &= y_i(t) - C_i w_i(t), \qquad i \in \{1, \ldots, N\},
\end{aligned}
\tag{7}
\]

where $w_i(t)$ is the $i$-th estimate of $x_i(t)$ and $G_i \in \mathbb{R}^{n_i \times p_i}$. In order to derive a compact formulation, let $w(t) = [w_1^{\mathsf T}(t) \cdots w_N^{\mathsf T}(t)]^{\mathsf T}$, $r(t) = [r_1^{\mathsf T}(t) \cdots r_N^{\mathsf T}(t)]^{\mathsf T}$, and $G = \operatorname{blkdiag}(G_1, \ldots, G_N)$. Then, the overall filter dynamics (7) are

\[
\begin{aligned}
E\dot{w}(t) &= (A_D + GC)w(t) + A_C w(t) - Gy(t), \\
r(t) &= y(t) - Cw(t).
\end{aligned}
\tag{8}
\]

Due to the observability assumption (A5) an output injection matrix $G_i$ can be chosen such that each pair $(E_i, A_i + G_i C_i)$ is Hurwitz [19, Theorem 4.1.1]. Notice that, if each pair $(E_i, A_i + G_i C_i)$ is regular and Hurwitz, then $(E, A_D + GC)$ is also regular and Hurwitz since the matrices $E$ and $A_D + GC$ are block-diagonal. We are now ready to state a condition for the decentralized stabilization of the filter (8).

Lemma 3.2: (Decentralized stabilization of the attack detection filter) Consider the descriptor system (1), and assume that the attack set $K$ is detectable and that the network initial state $x(0)$ is known. Consider the attack detection filter (8), where $w(0) = x(0)$ and $G = \operatorname{blkdiag}(G_1, \ldots, G_N)$ is such that $(E, A_D + GC)$ is regular and Hurwitz. Assume that

\[
\rho\big((j\omega E - A_D - GC)^{-1} A_C\big) < 1 \quad \text{for all } \omega \in \mathbb{R},
\tag{9}
\]

where $\rho(\cdot)$ denotes the spectral radius operator. Then $r(t) = 0$ at all times $t \in \mathbb{R}_{\ge 0}$ if and only if $u_K(t) = 0$ at all times $t \in \mathbb{R}_{\ge 0}$. Moreover, in the absence of attacks, the filter error $w(t) - x(t)$ is exponentially stable.

Proof: The error $e(t) = w(t) - x(t)$ obeys the dynamics

\[
\begin{aligned}
E\dot{e}(t) &= (A_D + A_C + GC)e(t) - (B_K + GD_K)u_K(t), \\
r(t) &= Ce(t) - D_K u_K(t).
\end{aligned}
\tag{10}
\]

A reasoning analogous to that in the proof of Theorem 3.1 shows the absence of zero dynamics. Hence, $r(t) = 0$ at all times $t \in \mathbb{R}_{\ge 0}$ if and only if $u_K(t) = 0$ at all times $t \in \mathbb{R}_{\ge 0}$. To show stability of the error dynamics in the absence of attacks, we employ the small-gain approach to large-scale interconnected systems [24] and rewrite the error dynamics (10) as the closed-loop interconnection of the two subsystems

\[
\begin{aligned}
\Gamma_1 &: \; E\dot{e}(t) = (A_D + GC)e(t) + v(t), \\
\Gamma_2 &: \; v(t) = A_C e(t).
\end{aligned}
\]

Since both subsystems $\Gamma_1$ and $\Gamma_2$ are causal and internally Hurwitz stable, the overall error dynamics (10) are stable if the loop transfer function $\Gamma_1(j\omega) \cdot \Gamma_2$ satisfies the spectral radius condition $\rho(\Gamma_1(j\omega) \cdot \Gamma_2) < 1$ for all $\omega \in \mathbb{R}$ [22, Theorem 4.11]. The latter condition is equivalent to (9). ■
Observe that, although control centers can compute the output injection matrix independently of each other, an implementation of the decentralized attack detection filter (8) requires control centers to continuously exchange their local estimation vectors. Thus, this scheme has high communication cost, and it may not be broadly applicable. A solution to this problem is presented in the next section.

C. Distributed attack detection monitor design 

In this subsection we exploit the classical waveform relaxation method to develop a fully distributed variation of the decentralized attack detection filter (8). We refer the reader to [25], [26] for a comprehensive discussion of waveform relaxation methods. The Gauss-Jacobi waveform relaxation method applied to the system (8) yields the waveform relaxation iteration

\[
E\dot{w}^{(k)}(t) = (A_D + GC)w^{(k)}(t) + A_C w^{(k-1)}(t) - Gy(t),
\tag{11}
\]

where $k \in \mathbb{N}$ denotes the iteration index, $t \in [0, T]$ is the integration interval for some uniform time horizon $T > 0$, and $w^{(k)} : [0, T] \to \mathbb{R}^n$ is a trajectory with the initial condition $w^{(k)}(0) = w_0$ for each $k \in \mathbb{N}$. Notice that (11) is a descriptor system in the variable $w^{(k)}$, and the vector $A_C w^{(k-1)}$ is a known input, since the value of $w(t)$ at iteration $k-1$ is used. The iteration (11) is said to be (uniformly) convergent if

\[
\lim_{k \to \infty} \; \max_{t \in [0, T]} \big\|w^{(k)}(t) - w(t)\big\| = 0,
\]

where $w(t)$ is the solution of the non-iterative dynamics (8). In order to obtain a low-complexity distributed detection scheme, we use the waveform relaxation iteration (11) to iteratively approximate the decentralized filter (8).

We start by presenting a convergence condition for the iteration (11). Recall that a function $f : \mathbb{R}_{\ge 0} \to \mathbb{R}^p$ is said to be of exponential order $\beta$ if there exists $\beta \in \mathbb{R}$ such that the exponentially scaled function $\tilde f : \mathbb{R}_{\ge 0} \to \mathbb{R}^p$, $\tilde f(t) = f(t)e^{-\beta t}$, and all its derivatives exist and are bounded. An elegant analysis of the waveform relaxation iteration (11) can be carried out in the Laplace domain [27], where the operator mapping $w^{(k-1)}(t)$ to $w^{(k)}(t)$ is $(sE - A_D - GC)^{-1} A_C$. Similar to the regular Gauss-Jacobi iteration, convergence conditions of the waveform relaxation iteration (11) rely on the contractivity of the iteration operator.

Lemma 3.3: (Convergence of the waveform relaxation [27, Theorem 5.2]) Consider the waveform relaxation iteration (11). Let the pair $(E, A_D + GC)$ be regular, and the initial condition $w_0$ be consistent. Let $y(t)$, with $t \in [0, T]$, be of exponential order $\beta$. Let $\alpha$ be the least upper bound on the real part of the spectrum of $(E, A)$, and define $\sigma = \max\{\alpha, \beta\}$. The waveform relaxation method (11) is convergent if

\[
\rho\big(((\sigma + j\omega)E - A_D - GC)^{-1} A_C\big) < 1 \quad \text{for all } \omega \in \mathbb{R}.
\tag{12}
\]

In the reasonable case of bounded (integrable) measurements $y(t)$, $t \in [0, T]$, and stable filter dynamics, we have that $\sigma \le 0$, and the convergence condition (12) for the waveform relaxation iteration (11) equals the condition (9) for decentralized stabilization of the filter dynamics. We now propose our distributed attack detection filter.

Theorem 3.4: (Distributed attack detection filter) Consider the descriptor system (1) and assume that the attack set $K$ is detectable, and that the network initial state $x(0)$ is known. Let assumptions (A1) through (A7) be satisfied and consider the distributed attack detection filter

\[
\begin{aligned}
E\dot{w}^{(k)}(t) &= (A_D + GC)w^{(k)}(t) + A_C w^{(k-1)}(t) - Gy(t), \\
r^{(k)}(t) &= y(t) - Cw^{(k)}(t),
\end{aligned}
\tag{13}
\]

where $k \in \mathbb{N}$, $t \in [0, T]$ for some $T > 0$, $w^{(k)}(0) = x(0)$ for all $k \in \mathbb{N}$, and $G = \operatorname{blkdiag}(G_1, \ldots, G_N)$ is such that the pair $(E, A_D + GC)$ is regular, Hurwitz, and

\[
\rho\big((j\omega E - A_D - GC)^{-1} A_C\big) < 1 \quad \text{for all } \omega \in \mathbb{R}.
\tag{14}
\]

Then $\lim_{k \to \infty} r^{(k)}(t) = 0$ at all times $t \in [0, T]$ if and only if $u_K(t) = 0$ at all times $t \in [0, T]$. Moreover, in the absence of attacks, the asymptotic filter error $\lim_{k \to \infty} \big(w^{(k)}(t) - x(t)\big)$ is exponentially stable for $t \in [0, T]$.

Proof: Since $w^{(k)}(0) = x(0)$, it follows from Lemma 3.3 that the solution $w^{(k)}(t)$ of the iteration (13) converges, as $k \to \infty$, to the solution $w(t)$ of the non-iterative filter dynamics (8) if condition (12) is satisfied with $\sigma = 0$ (due to integrability of $y(t)$, $t \in [0, T]$, and since the pair $(E, A_D + GC)$ is Hurwitz). The latter condition is equivalent to condition (14).

Under condition (14) and due to the Hurwitz assumption, it follows from Lemma 3.2 that the error $e(t) = w(t) - x(t)$ between the state $w(t)$ of the decentralized filter dynamics (8) and the state $x(t)$ of the descriptor model (1) is asymptotically stable in the absence of attacks. Due to the detectability assumption and by reasoning analogous to the proof of Theorem 3.1 it follows that the error dynamics $e(t)$ have no invariant zeros. This concludes the proof of Theorem 3.4. ■
Remark 2: (Distributed attack detection) The waveform relaxation iteration (11) can be implemented in the following distributed fashion. Assume that each control center $i$ is able to numerically integrate the descriptor system

\[
E_i \dot{w}_i^{(k)}(t) = (A_i + G_i C_i) w_i^{(k)}(t) + \sum_{j \in \mathcal{N}_i^{\mathrm{in}}} A_{ij} w_j^{(k-1)}(t) - G_i y_i(t)
\tag{15}
\]

over a time interval $t \in [0, T]$, with initial condition $w_i^{(k)}(0) = w_{i0}$, measurements $y_i(t)$, and the neighboring filter states $w_j^{(k-1)}(t)$ as external inputs. Let $w_j^{(0)}(t)$ be an initial guess of the signal $w_j(t)$. Each control center $i \in \{1, \ldots, N\}$ performs the following operations assuming $k = 0$ at start:

(1) set $k := k + 1$, and compute the signal $w_i^{(k)}(t)$ by integrating the local filter equation (15),

(2) transmit $w_i^{(k)}(t)$ to the $j$-th control center if $j \in \mathcal{N}_i^{\mathrm{out}}$,

(3) update the input with the signal received from the $j$-th control center, with $j \in \mathcal{N}_i^{\mathrm{in}}$, and iterate.

If the waveform relaxation is convergent, then, for $k$ sufficiently large, the residuals $r_i^{(k)}(t) = y_i(t) - C_i w_i^{(k)}(t)$ can be used to detect attacks; see Theorem 3.4. In summary, our distributed attack detection scheme requires integration capabilities at each control center, knowledge of the measurements $y_i(t)$, $t \in [0, T]$, as well as synchronous discrete-time communication between neighboring control centers. □
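The following Python program is an added example (not the paper's code) that runs the three-step procedure of Remark 2 on a constructed three-area system: each control center integrates its local filter (15) against the neighbours' previous-iterate trajectories, the centers swap whole trajectories once per iteration, and the iterates are compared with the decentralized filter (8) while the local dominance test (17) is checked. It assumes one scalar state per area, $E = I$ (the nonsingular special case of (1)), $C = I$, forward-Euler integration, and constructed numeric values for $A_D$, $A_C$, $G$, $x(0)$ and the output attack.

```python
# Added example, not the paper's code: Gauss-Jacobi waveform relaxation (Remark 2,
# eq. (15)) on a constructed three-area system, compared with the decentralized
# filter (8). Assumptions: n_i = 1 (scalar state per area), E = I (an ODE, the
# nonsingular special case of (1)), C = I (each area measures its own state),
# forward-Euler integration on a fixed time grid. All numbers are constructed.

N = 3                       # number of areas / control centers
A_D = [-1.0, -1.0, -1.0]    # isolated dynamics a_i (diagonal blocks of A_D)
A_C = [[0.0, 0.3, 0.0],     # couplings a_ij (off-diagonal blocks of A_C), chain 1-2-3
       [0.3, 0.0, 0.3],
       [0.0, 0.3, 0.0]]
G = [-2.0, -2.0, -2.0]      # local output injections g_i: a_i + g_i c_i = -3 (Hurwitz)
X0 = [1.0, -0.5, 0.25]      # known initial state x(0); every filter starts at w(0) = x(0)
DT, T = 0.01, 6.0
STEPS = round(T / DT)
T_ATTACK, U_ATTACK = 3.0, 0.5   # constructed output attack on area 1 from t = 3

IN_NEIGHBORS = [[j for j in range(N) if j != i and A_C[i][j] != 0.0] for i in range(N)]


def local_dominance_ok():
    """Condition (17), checked by each center with local data only. For scalar
    blocks with c_i = 1, |(jw - a_i - g_i)^{-1}| is largest at w = 0 because
    a_i + g_i is real and negative, so the sweep over w reduces to
    sum_j |a_ij| < |a_i + g_i|."""
    return all(sum(abs(A_C[i][j]) for j in IN_NEIGHBORS[i]) < abs(A_D[i] + G[i])
               for i in range(N))


def simulate_plant(attack=True):
    """Euler-integrate x' = A x (no state attack) and return y(t) = x(t) + u_y(t)."""
    x, ys = list(X0), []
    for step in range(STEPS + 1):
        y = list(x)
        if attack and step >= round(T_ATTACK / DT):
            y[0] += U_ATTACK          # attacker corrupts only area 1's measurement
        ys.append(y)
        dx = [A_D[i] * x[i] + sum(A_C[i][j] * x[j] for j in IN_NEIGHBORS[i])
              for i in range(N)]
        x = [x[i] + DT * dx[i] for i in range(N)]
    return ys


def decentralized_filter(ys):
    """Filter (8): w' = (A_D + GC) w + A_C w - G y, with w_j exchanged at every step."""
    w, ws = list(X0), []
    for y in ys:
        ws.append(list(w))
        dw = [(A_D[i] + G[i]) * w[i]
              + sum(A_C[i][j] * w[j] for j in IN_NEIGHBORS[i]) - G[i] * y[i]
              for i in range(N)]
        w = [w[i] + DT * dw[i] for i in range(N)]
    return ws


def waveform_relaxation(ys, iterations):
    """Remark 2: in iteration k, center i integrates (15) over [0, T] with the
    neighbours' iterate-(k-1) trajectories as known inputs, then all centers
    exchange whole trajectories once. Returns w^(k)(t) on the time grid."""
    prev = [list(X0) for _ in ys]           # w^(0)(t): constant initial guess x(0)
    for _ in range(iterations):
        cur = [[0.0] * N for _ in ys]
        for i in range(N):                   # each control center works independently
            wi = X0[i]                       # w_i^(k)(0) = x_i(0)
            for step, y in enumerate(ys):
                cur[step][i] = wi
                coupling = sum(A_C[i][j] * prev[step][j] for j in IN_NEIGHBORS[i])
                wi += DT * ((A_D[i] + G[i]) * wi + coupling - G[i] * y[i])
        prev = cur                           # steps (2)-(3): transmit and update inputs
    return prev


def residuals(ys, ws):
    """r_i(t) = y_i(t) - C_i w_i(t) for every area and grid point."""
    return [[y[i] - w[i] for i in range(N)] for y, w in zip(ys, ws)]


def max_abs_residual(rs, t_from, t_to):
    """Largest |r_i(t)| over the window [t_from, t_to]."""
    lo, hi = round(t_from / DT), round(t_to / DT)
    return max(abs(v) for r in rs[lo:hi + 1] for v in r)


def max_trajectory_error(ws_a, ws_b):
    """max_t ||w_a(t) - w_b(t)||_inf, the quantity plotted in Fig. 3."""
    return max(abs(a[i] - b[i]) for a, b in zip(ws_a, ws_b) for i in range(N))


if __name__ == "__main__":
    ys = simulate_plant(attack=True)
    w_dec = decentralized_filter(ys)
    for k in (1, 3, 10):
        err = max_trajectory_error(waveform_relaxation(ys, k), w_dec)
        print(f"k={k:2d}: max_t |w^(k)(t) - w(t)| = {err:.2e}")
    rs = residuals(ys, waveform_relaxation(ys, 10))
    print("residual before attack:", max_abs_residual(rs, 0.0, T_ATTACK - DT))
    print("residual after attack: ", max_abs_residual(rs, T_ATTACK, T))
```

The iteration error shrinks by roughly the factor $\sum_j |a_{ij}| / |a_i + g_i| = 0.2$ per exchange, so a handful of communication rounds already reproduce the decentralized filter, and the residual of area 1 stays away from zero only after the attack starts.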
Remark 3: (Distributed filter design) As discussed in Remark 2, the filter (13) can be implemented in a distributed fashion. In fact, it is also possible to design the filter (13), that is, the output injections $G_i$, in an entirely distributed way. Since $\rho(A) \le \|A\|_p$ for any matrix $A$ and any induced $p$-norm, condition (14) can be relaxed by the small gain criterion to

\[
\big\|(j\omega E - A_D - GC)^{-1} A_C\big\|_p < 1 \quad \text{for all } \omega \in \mathbb{R}.
\tag{16}
\]

With $p = \infty$, in order to satisfy condition (16), it is sufficient for each control center $i$ to verify the following quasi-block diagonal dominance condition [28] for each $\omega \in \mathbb{R}$:

\[
\sum_{j \in \mathcal{N}_i^{\mathrm{in}}} \big\|(j\omega E_i - A_i - G_i C_i)^{-1} A_{ij}\big\|_\infty < 1.
\tag{17}
\]

Note that condition (17) can be checked with local information, and it is a conservative relaxation of condition (14). □

D. Illustrative example of decentralized detection 

The IEEE 118 bus system shown in Fig. 1 represents a portion of the Midwestern American Electric Power System as of December 1962. This test case system is composed of 118 buses and 54 generators, and its parameters can be found, for example, in [29]. Following [1, Section II.C], a linear continuous-time descriptor model of the network dynamics under attack assumes the form (1).

For estimation and attack detection purposes, we partition the IEEE 118 bus system into 5 disjoint areas, we assign a control center to each area, and we implement our detection procedure via the filter (13); see Fig. 1 for a graphical illustration. Suppose that each control center continuously measures the angle of the generators in its area, and suppose that an attacker compromises the measurements of all the generators of the first area. In particular, starting at time 30s, the attacker adds a signal $u_K(t)$ to all measurements in area 1. It can be verified that the attack set $K$ is detectable, see [1]. According to assumption (A3), the attack signal $u_K(t)$ needs to be continuous to guarantee a continuous state trajectory (since the power network is a descriptor system of index 1). In order to show the robustness of our detection filter (13), we let $u_K(t)$ be randomly distributed in the interval $[0, 0.5]$ rad.

Fig. 1. Partition of IEEE 118 bus system into 5 areas. Each area is monitored and operated by a control center. The control centers cooperate to estimate the state and to assess the functionality of the whole network.

Fig. 2. In this figure we show the residual functions computed through the distributed attack detection filter (13). The attacker compromises the measurements of all the generators in area 1 from time 30 with a signal uniformly distributed in the interval [0, 0.5]. The attack is correctly detected, because the residual functions do not decay to zero. For the simulation, we run k = 100 iterations of the attack detection method.

The control centers implement the distributed attack detection procedure described in (13), with $G = AC^{\mathsf T}$. It can be verified that the pair $(E, A_D + GC)$ is Hurwitz stable, and that $\rho\big((j\omega E - A_D - GC)^{-1} A_C\big) < 1$ for all $\omega \in \mathbb{R}$. As predicted by Theorem 3.4 our distributed attack detection filter is convergent; see Fig. 2. For completeness, in Fig. 3 we illustrate the convergence of our waveform relaxation-based filter as a function of the number of iterations $k$. Notice that the number of iterations directly reflects the communication complexity of our detection scheme.

Fig. 3. The plot represents the error of our waveform relaxation based filter (13) with respect to the corresponding decentralized filter (8). Here the error is $\max_{t \in [0, T]} \|w^{(k)}(t) - w(t)\|$, that is, the worst-case difference of the outputs of the two filters. As predicted by Theorem 3.4 the error is convergent.

Fig. 4. A regular consensus system $(A, B, C)$, where the state variable 3 is corrupted by the attacker, and the state variables 2, 4, and 7 are directly measured. Due to the sparsity pattern of $(A, B, C)$ any attack of cardinality one is generically detectable and identifiable, see [1], [7] for further details.

IV. Monitor design for attack identification 

A. Complexity of the attack identification problem 

In this section we study the problem of attack identification, that is, the problem of identifying from measurements the state and output variables corrupted by the attacker. We start our discussion by showing that this problem is generally NP-hard. For a vector $x \in \mathbb{R}^n$, let $\operatorname{supp}(x) = \{i \in \{1, \ldots, n\} : x_i \neq 0\}$, let $\|x\|_{\ell_0} = |\operatorname{supp}(x)|$ denote the number of nonzero entries, and for a vector-valued signal $v : \mathbb{R}_{\ge 0} \to \mathbb{R}^n$, let $\|v\|_{\mathcal{L}_0} = \big|\bigcup_{t \in \mathbb{R}_{\ge 0}} \operatorname{supp}(v(t))\big|$. We consider the following cardinality minimization problem: given a descriptor system with dynamic matrices $E, A \in \mathbb{R}^{n \times n}$, measurement matrix $C \in \mathbb{R}^{p \times n}$, and measurement signal $y : \mathbb{R}_{\ge 0} \to \mathbb{R}^p$, find the minimum cardinality input signals $v_x : \mathbb{R}_{\ge 0} \to \mathbb{R}^n$ and $v_y : \mathbb{R}_{\ge 0} \to \mathbb{R}^p$ and an arbitrary initial condition $\xi_0 \in \mathbb{R}^n$ that explain the data $y(t)$, that is,

\[
\begin{aligned}
\min_{v_x,\, v_y,\, \xi_0} \quad & \|v_x\|_{\mathcal{L}_0} + \|v_y\|_{\mathcal{L}_0} \\
\text{subject to} \quad & E\dot{\xi}(t) = A\xi(t) + v_x(t), \\
& y(t) = C\xi(t) + v_y(t), \\
& \xi(0) = \xi_0 \in \mathbb{R}^n.
\end{aligned}
\tag{18}
\]

Lemma 4.1: (Problem equivalence) Consider the system (1) with identifiable attack set $K$. The optimization problem (18) coincides with the problem of identifying the attack set $K$ given the system matrices $E$, $A$, $C$, and the measurements $y(t)$, where $K = \operatorname{supp}([v_x^{\mathsf T}\; v_y^{\mathsf T}]^{\mathsf T})$.

Proof: Due to the identifiability of $K$, the attack identification problem consists of finding the smallest attack set capable of injecting an attack $(B_K u_K, D_K u_K)$ that generates the given measurements $y$ for the given dynamics $E$, $A$, $C$, and some initial condition; see Definition 2. The statement follows since $B = [I, 0]$ and $D = [0, I]$ in (1), so that $(B_K u_K, D_K u_K) = (v_x, v_y)$. ■



As it turns out, the optimization problem (18), or equivalently our identification problem, is generally NP-hard [30].



Corollary 4.2: (Complexity of the attack identification problem) Consider the system (1) with identifiable attack set K. The attack identification problem given the system matrices E, A, C, and the measurements $y(t)$ is NP-hard.

Proof: Consider the NP-hard [30] sparse recovery problem $\min_{\xi \in \mathbb{R}^n} \|\bar y - \bar C\xi\|_{\ell_0}$, where $\bar C \in \mathbb{R}^{p \times n}$ and $\bar y \in \mathbb{R}^p$ are given and constant. In order to prove the claimed statement, we show that every instance of the sparse recovery problem can be cast as an instance of (18). Let $E = I$, $A = 0$, $C = \bar C$, and $y(t) = \bar y$ at all times. Notice that $v_y(t) = \bar y - C\xi(t)$ and $\xi(t) = \xi(0) + \int_0^t v_x(\tau)\,d\tau$. The problem (18) can be written as

$$\min_{v_x(t),\,\xi} \|v_x\|_{\mathcal{L}_0} + \|\bar y - C\xi(t)\|_{\mathcal{L}_0} = \min_{v_x(t),\,\xi} \|v_x(t)\|_{\mathcal{L}_0} + \Big\|\bar y - C\xi - C\int_0^t v_x(\tau)\,d\tau\Big\|_{\mathcal{L}_0}, \qquad (19)$$

where $\xi = \xi(0)$. Notice that there exists a minimizer to problem (19) with $v_x(t) = 0$ for all t. Indeed, since

$$\Big\|\bar y - C\xi - C\int_0^t v_x(\tau)\,d\tau\Big\|_{\mathcal{L}_0} = \Big|\bigcup_{t \in \mathbb{R}_{\geq 0}} \mathrm{supp}\Big(\bar y - C\xi - C\int_0^t v_x(\tau)\,d\tau\Big)\Big| \geq \Big|\mathrm{supp}\Big(\bar y - C\xi - C\int_0^0 v_x(\tau)\,d\tau\Big)\Big| = \|\bar y - C\xi\|_{\ell_0},$$

problem (19) can be equivalently written as $\min_\xi \|\bar y - C\xi\|_{\ell_0}$. ■
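The reduction used in this proof, worked through as an added example (this is not code from the paper): for the instance $E = I$, $A = 0$, $y(t) = \bar y$ a minimizer of (18) has $v_x = 0$, so identifying the attack set reduces to finding the smallest support of $v_y = \bar y - C\xi$. The block enumerates candidate supports by increasing cardinality (the candidate sets of Remark 4, restricted to output attacks) on a constructed 2-state, 4-sensor instance and reports whether the minimizer is unique, i.e. whether the attack set is identifiable in the sense of Lemma 4.1.

```python
from fractions import Fraction
from itertools import combinations


def consistent(rows, rhs, n):
    """True iff the linear system rows * xi = rhs (n unknowns) has a solution.
    Exact rational Gaussian elimination on the augmented matrix, so no tolerance is needed."""
    m = [[Fraction(v) for v in r] + [Fraction(b)] for r, b in zip(rows, rhs)]
    pivot = 0
    for col in range(n):
        src = next((r for r in range(pivot, len(m)) if m[r][col] != 0), None)
        if src is None:
            continue
        m[pivot], m[src] = m[src], m[pivot]
        for r in range(len(m)):
            if r != pivot and m[r][col] != 0:
                f = m[r][col] / m[pivot][col]
                m[r] = [a - f * b for a, b in zip(m[r], m[pivot])]
        pivot += 1
    # inconsistent iff some row reduced to [0 ... 0 | nonzero]
    return all(any(v != 0 for v in row[:-1]) or row[-1] == 0 for row in m)


def explains(C, y, support):
    """Is there a state xi with (y - C xi)_i = 0 for every sensor i outside `support`?
    If so, the output attack v_y = y - C xi has supp(v_y) contained in `support`."""
    keep = [i for i in range(len(y)) if i not in support]
    return consistent([C[i] for i in keep], [y[i] for i in keep], len(C[0]))


def identify_output_attack(C, y):
    """Brute-force solution of min_xi ||y - C xi||_{l0}, the instance of (18) built in the
    proof of Corollary 4.2 (E = I, A = 0, constant y, v_x = 0 at a minimizer).
    Candidate attack sets are enumerated by increasing cardinality, as a bank of
    residual generators would be in Remark 4.  Returns (k, sets): the minimum cardinality
    k and every support achieving it.  The attack set is identifiable in the sense of
    Lemma 4.1 exactly when `sets` holds a single element."""
    p = len(y)
    for k in range(p + 1):
        sets = [set(S) for S in combinations(range(p), k) if explains(C, y, set(S))]
        if sets:
            return k, sets
    raise AssertionError("unreachable: the full support always explains y")


# Constructed sample instance (not from the paper): n = 2 states, p = 4 sensors,
# true state xi* = (2, 3), and sensor 2 corrupted by the attacker (5 reported as 9).
C_SAMPLE = [[1, 0], [0, 1], [1, 1], [1, -1]]
Y_SAMPLE = [2, 3, 9, -1]

if __name__ == "__main__":
    k, sets = identify_output_attack(C_SAMPLE, Y_SAMPLE)
    print("minimum cardinality", k, "attack sets", sets)            # 1 [{2}]
    # With only the first three sensors the corrupted one is no longer identifiable:
    # three different single sensors explain the data equally well.
    print(identify_output_attack(C_SAMPLE[:3], Y_SAMPLE[:3]))      # (1, [{0}, {1}, {2}])
```

The three-sensor run shows the non-identifiable case: the minimum cardinality is still 1, but the minimizer is not unique, so no filter bank can single out the corrupted sensor.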



By Corollary 4.2 the general attack identification problem 
is combinatorial in nature, and its general solution will re- 
quire substantial computational effort. In the next sections we 
propose an optimal algorithm with high computational com- 
plexity, and a sub-optimal algorithm with low computational 
complexity. We conclude this section with an example. 

Example 1: (Attack identification via $\ell_1$ regularization) A classical procedure to handle cardinality minimization problems of the form $\min_{v \in \mathbb{R}^n} \|y - Av\|_{\ell_0}$ is to use the $\ell_1$ regularization $\min_{v \in \mathbb{R}^n} \|y - Av\|_{\ell_1}$ [31]. This procedure can be adapted to the optimization problem (18) after converting it into an algebraic optimization problem, for instance by taking subsequent derivatives of the output $y(t)$, or by discretizing the continuous-time system (1) and recording several measurements. As shown in [3], for discrete-time systems the $\ell_1$ regularization performs reasonably well in the presence of output attacks. However, in the presence of state attacks such an $\ell_1$ relaxation generally performs poorly. In what follows, we develop an intuition for when and why this approach fails.

Fig. 5. Plot of the attack mode $\tilde u(t)$ for the attack set $\tilde K = \{2, 4, 7\}$ to generate the same output as the attack set $K = \{3\}$ with attack mode $u(t) = 1$. Although $|\tilde K| > |K|$, we have that $|\tilde u_i(t)| < |u(t)|/3$ for $i \in \{1, 2, 3\}$.

Consider a consensus system with underlying network graph (sparsity pattern of A) illustrated in Fig. 4. The dynamics are described by the nonsingular matrix $E = I$ and the state matrix A depending on the small parameter $0 < \varepsilon \ll 1$ as

A =

The measurement matrix C and the attack signature $B_K$ are

C =

and we let $G(s) = C(sI - A)^{-1}B_K$. It can be verified that the state attack $K = \{3\}$ is detectable and identifiable.

Consider also the state attack $\tilde K = \{2, 4, 7\}$ with signature

$$B_{\tilde K}^T = \begin{bmatrix} 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 \end{bmatrix},$$

and let $\tilde G(s) = C(sI - A)^{-1}B_{\tilde K}$. We now adopt the shorthands $u(t) = u_K(t)$ and $\tilde u(t) = u_{\tilde K}(t)$, and denote their Laplace transforms by $U(s)$ and $\tilde U(s)$, respectively. Notice that $\tilde G(s)$ is right-invertible. Thus, $Y(s) = G(s)U(s) = \tilde G(s)\big(\tilde G^{-1}(s)G(s)U(s)\big)$. In other words, the measurements $Y(s)$ generated by the attack signal $U(s)$ can equivalently be generated by the signal $\tilde U(s) = \tilde G^{-1}(s)G(s)U(s)$. Obviously, we have that $\|\tilde u\|_{\mathcal{L}_0} = 3 > \|u\|_{\mathcal{L}_0} = 1$, that is, the attack set K achieves a lower cost than $\tilde K$ in the optimization problem (18).

Consider now the numerical realization $\varepsilon = 0.0001$, $x(0) = 0$, and $u(t) = 1$ for all $t \in \mathbb{R}_{\geq 0}$. The corresponding attack mode $\tilde u(t)$ is shown in Fig. 5. Since $|\tilde u_i(t)| < 1/3$ for $i \in \{1, 2, 3\}$ and $t \in \mathbb{R}_{\geq 0}$, it follows that $\|u(t)\|_{\ell_p} > \|\tilde u(t)\|_{\ell_p}$ point-wise in time and $\|u(t)\|_{\mathcal{L}_q/\ell_p} > \|\tilde u(t)\|_{\mathcal{L}_q/\ell_p}$, where $p, q \geq 1$ and

$$\|u(t)\|_{\mathcal{L}_q/\ell_p} = \Big(\int_0^\infty \Big(\sum_i |u_i(\tau)|^p\Big)^{q/p} d\tau\Big)^{1/q}$$

is the $\mathcal{L}_q/\ell_p$-norm. Hence, the attack set $\tilde K$ achieves a lower cost than K for any algebraic version of the optimization problem (18) penalizing an $\ell_p$ cost point-wise in time or an $\mathcal{L}_q/\ell_p$ cost over a time interval. Since $\|\tilde u\|_{\mathcal{L}_0} > \|u\|_{\mathcal{L}_0}$, we conclude that, in general, the identification problem cannot be solved by a point-wise $\ell_p$ or $\mathcal{L}_q/\ell_p$ regularization for any $p, q \geq 1$.

Notice that, for any choice of network parameters, a value of $\varepsilon$ can be found such that a point-wise $\ell_p$ or an $\mathcal{L}_q/\ell_p$ regularization procedure fails at identifying the attack set. Moreover, large-scale stable systems often exhibit this behavior independently of the system parameters. This can be easily seen in discrete-time systems, where a state attack with attack set K affects the output via the matrix $CA^{r-1}B_K$, where r is the relative degree of $(A, B_K, C)$. Hence, if A is Schur stable and thus $\lim_{k \to \infty} A^k = 0$, then $CA^{r-1}B_K$ converges to the zero matrix for increasing relative degree. In this case, an attack closer to the sensors may achieve a lower $\mathcal{L}_q/\ell_p$ cost than an attack far from the sensors independently of the cardinality of the attack set. In short, the $\varepsilon$-connections in Fig. 4 can be thought of as the effect of a large relative degree in a stable system. □



B. Centralized attack identification monitor design 

As previously shown, unlike the detection case, the identification of the attack set K requires a combinatorial procedure, since, a priori, K is one of the $\binom{n+p}{|K|}$ possible attack sets. The following centralized attack identification procedure consists of designing a residual filter to determine whether a predefined set coincides with the attack set. The design of this residual filter consists of three steps: an input-output transformation (see Lemma 4.3), a state transformation to a suitable conditioned-invariant subspace (see Lemma 4.4), and an output injection and definition of a proper residual (see Theorem 4.5).

As a first design step, we show that the identification prob- 
lem can be carried out for a modified system without corrupted 
measurements, that is, without the feedthrough matrix D. 

Lemma 4.3: (Attack identification with safe measurements) Consider the descriptor system (1) with attack set K. The attack set K is identifiable for the descriptor system (1) if and only if it is identifiable for the following descriptor system:

$$E\dot x(t) = (A - B_K D_K^\dagger C)x(t) + B_K(I - D_K^\dagger D_K)u_K(t),$$
$$y(t) = (I - D_K D_K^\dagger)Cx(t). \qquad (20)$$



Proof: Due to the identifiability hypothesis, there exists no attack set R with $|R| \leq |K|$ and $R \neq K$, $s \in \mathbb{C}$, $g_K \in \mathbb{R}^{|K|}$, $g_R \in \mathbb{R}^{|R|}$, and $x \in \mathbb{R}^n \setminus \{0\}$ such that

(21)

where we added an additional (redundant) output equation [1, Theorem 3.4]. A multiplication of equation (21) from the left by the projectors $\mathrm{blkdiag}(I, D_K D_K^\dagger, (I - D_K D_K^\dagger))$ yields a set of equations in which the variable $g_K$ can be eliminated from the first redundant (corrupted) output equation according to

$$g_K = -D_K^\dagger Cx - D_K^\dagger D_R g_R + (I - D_K^\dagger D_K)g_K.$$

Thus, $P(s)[x^T\ \ g_K^T\ \ g_R^T]^T = 0$ has no solution, where $P(s)$ is

$$P(s) = \begin{bmatrix} sE - A + B_K D_K^\dagger C & -B_K(I - D_K^\dagger D_K) & -B_R + B_K D_K^\dagger D_R \\ (I - D_K D_K^\dagger)C & 0 & (I - D_K D_K^\dagger)D_R \end{bmatrix}.$$

The statement follows. ■
The second design step of our attack identification monitor relies on the concept of conditioned invariant subspace. We refer to [18], [32], [33] for a comprehensive discussion of conditioned invariant subspaces. Let $\mathcal{S}^*$ be the conditioned invariant subspace associated with the system $(E, A, B, C, D)$, that is, the smallest subspace of the state space satisfying

$$\mathcal{S}^* = [A\ \ B]\Big((E^{-1}\mathcal{S}^* \times \mathbb{R}^m) \cap \mathrm{Ker}\,[C\ \ D]\Big), \qquad (22)$$

where m is the number of columns of B, and let L be an output injection matrix satisfying

$$[A + LC\ \ \ B + LD]\,(E^{-1}\mathcal{S}^* \times \mathbb{R}^m) \subseteq \mathcal{S}^*. \qquad (23)$$

We transform the descriptor system (20) into a set of canonical coordinates representing $\mathcal{S}^*$ and its orthogonal complement. For a nonsingular system ($E = I$) such an equivalent state representation can be achieved by a nonsingular transformation of the form $Q^{-1}(sI - A)Q$. However, for a singular system different transformations need to be applied in the domain and codomain, such as $P^T(sE - A)Q$ for nonsingular P and Q.

Lemma 4.4: (Input decoupled system representation) For the system (20), let $\mathcal{S}^*$ and L be as in (22) and (23), respectively. Define the unitary matrices $P = [\mathrm{Basis}(\mathcal{S}^*)\ \ \mathrm{Basis}((\mathcal{S}^*)^\perp)]$ and $Q = [\mathrm{Basis}(E^{-1}\mathcal{S}^*)\ \ \mathrm{Basis}((E^{-1}\mathcal{S}^*)^\perp)]$. Then

$$P^T E Q = \begin{bmatrix} E_{11} & E_{12} \\ 0 & E_{22} \end{bmatrix}, \qquad P^T(A - B_K D_K^\dagger C + LC)Q = \begin{bmatrix} A_{11} & A_{12} \\ 0 & A_{22} \end{bmatrix},$$
$$P^T B_K (I - D_K^\dagger D_K) = \begin{bmatrix} \bar B_K \\ 0 \end{bmatrix}, \qquad \big((I - D_K D_K^\dagger)C\big)Q = [C_1\ \ C_2].$$

The attack set K is identifiable for the descriptor system (1) if and only if it is identifiable for the descriptor system

$$\begin{bmatrix} E_{11} & E_{12} \\ 0 & E_{22} \end{bmatrix}\begin{bmatrix} \dot x_1(t) \\ \dot x_2(t) \end{bmatrix} = \begin{bmatrix} A_{11} & A_{12} \\ 0 & A_{22} \end{bmatrix}\begin{bmatrix} x_1(t) \\ x_2(t) \end{bmatrix} + \begin{bmatrix} \bar B_K \\ 0 \end{bmatrix}u_K(t),$$
$$y(t) = [C_1\ \ C_2]\begin{bmatrix} x_1(t) \\ x_2(t) \end{bmatrix}. \qquad (24)$$



Proof: Let $\mathcal{L} = E^{-1}\mathcal{S}^*$ and $\mathcal{M} = \mathcal{S}^*$. Notice that $(A + LC)E^{-1}\mathcal{S}^* \subseteq \mathcal{S}^*$ by the invariance property of $\mathcal{S}^*$ [32], [18]. It follows that $\mathcal{L}$ and $\mathcal{M}$ are a pair of right deflating subspaces for the matrix pair $(A + LC, E)$ [34], that is, $\mathcal{M} = A\mathcal{L} + E\mathcal{L}$ and $\dim(\mathcal{M}) \leq \dim(\mathcal{L})$. The sparsity pattern in the descriptor and dynamic matrices E and A of (24) arises by construction of the right deflating subspaces P and Q [34, Eq. (2.17)], and the sparsity pattern in the input matrix arises due to the invariance properties of $\mathcal{S}^*$ containing $\mathrm{Im}(B_K)$. The statement follows because the output injection L, the coordinate change $x \mapsto Q^{-1}x$, and the left-multiplication of the dynamics by $P^T$ do not affect the existence of zero dynamics. ■

We call system (24) the conditioned system associated with (1). For ease of notation and without affecting generality, the third and final design step of our attack identification filter is presented for the conditioned system (24).

Theorem 4.5: (Attack identification filter for attack set K) Consider the conditioned system (24) associated with the descriptor system (1). Assume that the attack set is identifiable, the network initial state $x(0)$ is known, and the assumptions (A1) through (A3) are satisfied. Consider the attack identification filter for the attack signature $(B_K, D_K)$

$$E_{22}\dot w_2(t) = \big(A_{22} + G(I - C_1 C_1^\dagger)C_2\big)w_2(t) - G\bar y(t),$$
$$r_K(t) = (I - C_1 C_1^\dagger)C_2 w_2(t) - \bar y(t), \quad \text{with} \qquad (25)$$
$$\bar y(t) = (I - C_1 C_1^\dagger)y(t),$$

where $w_2(0) = x_2(0)$, and G is such that $(E_{22}, A_{22} + G(I - C_1 C_1^\dagger)C_2)$ is Hurwitz. Then $r_K(t) = 0$ for all times $t \in \mathbb{R}_{\geq 0}$ if and only if K coincides with the attack set.

Proof: Let $w(t) = [w_1(t)^T\ \ w_2(t)^T]^T$, where $w_1(t)$ obeys

$$E_{11}\dot w_1(t) + E_{12}\dot w_2(t) = A_{11}w_1(t) + A_{12}w_2(t).$$

Consider the filter error $e(t) = w(t) - x(t)$, and notice that

$$\begin{bmatrix} E_{11} & E_{12} \\ 0 & E_{22} \end{bmatrix}\dot e(t) = \begin{bmatrix} A_{11} & A_{12} \\ 0 & \bar A_{22} \end{bmatrix}e(t) - \begin{bmatrix} \bar B_K \\ 0 \end{bmatrix}u_K(t),$$
$$r_K(t) = (I - C_1 C_1^\dagger)C_2 e_2(t),$$

where $\bar A_{22} = A_{22} + G(I - C_1 C_1^\dagger)C_2$. Notice that $r_K(t)$ is not affected by the input $u_K(t)$, so that, since $e_2(0) = 0$ due to $w_2(0) = x_2(0)$, the residual $r_K(t)$ is identically zero when K is the attack set. In order to prove the theorem we are left to show that for every set R, with $|R| \leq |K|$ and $R \cap K = \emptyset$, every attack mode $u_R(t)$ results in a nonzero residual $r_K(t)$. From [1, Theorem 3.4] and the identifiability hypothesis, for any $R \neq K$, there exists no solution to the corresponding set of equations. A projection of the equation $0 = C_1 x_1 + C_2 x_2 + D_R g_R$ onto the image of $C_1$ and its orthogonal complement yields

$$\ldots = [0\ \ 0]^T. \qquad (26)$$

Due to the identifiability hypothesis the set of equations (26) features no solution $[x_1^T\ \ x_2^T\ \ g_K\ \ g_R]$ with $[x_1^T\ \ x_2^T] \neq 0$. Observe that, for every $x_2$ and $g_R$, there exists $x_1 \in \mathrm{Ker}(C_1)^\perp$ such that the third equation of (26) is satisfied. Furthermore, for every $x_2$ and $g_R$, there exist $x_1 \in \mathrm{Ker}(C_1)$ and $g_K$ such that the first equation of (26) is satisfied. Indeed, since $Q^T E^{-1}\mathcal{S}^* = [\mathrm{Im}(I)\ \ 0]^T$ and $P^T\mathcal{S}^* = [\mathrm{Im}(I)\ \ 0]^T$, the invariance of $\mathcal{S}^*$ implies that $\mathcal{S}^* = A(E^{-1}\mathcal{S}^* \cap \mathrm{Ker}(C)) + \mathrm{Im}(B_K)$, or equivalently in new coordinates, $\mathrm{Im}(I) = A_{11}\mathrm{Ker}(C_1) + \mathrm{Im}(\bar B_K)$. Finally note that $[(sE_{11} - A_{11})\mathrm{Ker}(C_1)\ \ \bar B_K]$ is of full row rank due to the controllability of the subspace $\mathcal{S}^*$ [18]. We conclude that there exist no vectors $x_2$ and $g_R$ such that $(sE_{22} - A_{22})x_2 - B_{R2}g_R = 0$ and $(I - C_1 C_1^\dagger)(C_2 x_2 + D_R g_R) = 0$, and the statement follows. ■
Our identification procedure is summarized in Algorithm 1. Observe that the proposed attack identification filter extends classical results concerning the design of unknown-input fault detection filters. In particular, our filter generalizes the construction of [15] to descriptor systems with direct feedthrough matrix. Additionally, we guarantee the absence of invariant zeros in the residual dynamics. By doing so, our attack identification filter is sensitive to every attack mode. Notice that classical fault detection filters, for instance those presented in [13], are guaranteed to detect and isolate signals that do not excite exclusively zero dynamics. Finally, an attack identification filter for the case of state space or index-one systems is presented in our previous work [12].

Algorithm 1: Identification Monitor for $(B_K, D_K)$

Input: Matrices E, A, $B_K$, and $D_K$;
Require: Identifiability of attack set K;

1 From system (1) define the system (20);
2 Compute $\mathcal{S}^*$ and L for system (20) as in (22) and (23);
3 Apply L, P, and Q as in Lemma 4.4, leading to system (24);
4 For (24), define $r_K$ and apply the output injection G as in (25).

Remark 4: (Complexity of centralized identification) Our centralized identification procedure assumes the knowledge of the cardinality k of the attack set, and it achieves identification of the attack set by constructing a residual generator for each of the $\binom{n+p}{k}$ possible attack sets. Thus, for each finite value of k, our procedure constructs $O(n^k)$ filters. If only an upper bound $\bar k$ on the cardinality of the attack set is available, identification can be achieved by constructing filters for every attack set of cardinality up to $\bar k$, and by intersecting the attack sets generating zero residuals. □

Remark 5: (Attack identification filter in the presence of noise) Let the dynamics and the measurements of the system (1) be affected, respectively, by the additive white noise signals $\eta(t)$, with $\mathbb{E}[\eta(t)\eta^T(\tau)] = R_\eta\delta(t - \tau)$, and $\zeta(t)$, with $\mathbb{E}[\zeta(t)\zeta^T(\tau)] = R_\zeta\delta(t - \tau)$. Let the state and output noise be independent of each other. Then, simple calculations show that the dynamics and the output of the attack identification filter (25) are affected, respectively, by the noise signals

$$\tilde\eta(t) = P^T\eta(t) + P^T\big(L(I - D_K D_K^\dagger) - B_K D_K^\dagger\big)\zeta(t),$$
$$\tilde\zeta(t) = -\Big(I - \big[(I - D_K D_K^\dagger)CQ_1\big]\big[(I - D_K D_K^\dagger)CQ_1\big]^\dagger\Big)(I - D_K D_K^\dagger)\zeta(t),$$

where $Q_1 = \mathrm{Basis}(E^{-1}\mathcal{S}^*)$. Define the covariance matrix

$$\tilde R = \mathbb{E}\left[\begin{bmatrix} \tilde\eta(t) \\ \tilde\zeta(t) \end{bmatrix}\big[\tilde\eta^T(t)\ \ \tilde\zeta^T(t)\big]\right].$$

Notice that the off-diagonal elements of $\tilde R$ are in general nonzero, that is, the state and output noises of the attack identification filter are not independent of each other. As in the detection case, by using the covariance matrix $\tilde R$, the output injection matrix G in (25) can be designed to optimize the robustness of the residual $r_K(t)$ against noise. A related example is in Section V. □
We conclude this section by observing that a distributed implementation of our attack identification scheme is not practical. Indeed, even if the filter parameters may be obtained via distributed computation, still $\binom{n+p}{k}$ filters would need to be implemented to identify an attack of cardinality k. Such a distributed implementation results in an enormous communication effort and does not reduce the fundamental combinatorial complexity.

C. Fully decoupled attack identification 

In the following sections we develop a distributed attack identification procedure. Consider the decentralized setup presented in Section III-B with assumptions (A4)-(A7). The subsystem assigned to the i-th control center is

$$E_i\dot x_i(t) = A_i x_i(t) + \sum_{j \in \mathcal{N}_i^{\mathrm{in}}} A_{ij}x_j(t) + B_{K_i}u_{K_i}(t),$$
$$y_i(t) = C_i x_i(t) + D_{K_i}u_{K_i}(t), \qquad i \in \{1, \dots, N\}, \qquad (27)$$

where $K_i = (K \cap \mathcal{V}_i) \cup K_i^y$, with K being the attack set and $K_i^y$ being the set of corrupted measurements in the region $\mathcal{G}_i$.

As a first distributed identification method we consider the fully decoupled case (no cooperation among control centers). In the spirit of [16], the neighboring states $x_j(t)$ affecting $x_i(t)$ are treated as unknown inputs $f_i(t)$ to the i-th subsystem:

$$E_i\dot x_i(t) = A_i x_i(t) + B_i^u f_i(t) + B_{K_i}u_{K_i}(t),$$
$$y_i(t) = C_i x_i(t) + D_{K_i}u_{K_i}(t), \qquad i \in \{1, \dots, N\}, \qquad (28)$$

where $B_i^u = [A_{i1}\ \cdots\ A_{i,i-1}\ \ A_{i,i+1}\ \cdots\ A_{iN}]$. We refer to (28) as the i-th decoupled system, and we let $K_i^b \subseteq \mathcal{V}_i$ be the set of boundary nodes of (28), that is, the nodes $j \in \mathcal{V}_i$ with $A_{jk} \neq 0$ for some $k \in \{1, \dots, n\} \setminus \mathcal{V}_i$.

If the attack identification procedure in Section IV-B is designed for the i-th decoupled system (28) subject to unknown inputs $f_i(t)$, then a total of only $\sum_{i=1}^{N}\binom{n_i + p_i}{|K_i|} \leq \binom{n+p}{|K|}$ filters need to be designed, where $n_i$ and $p_i$ are the numbers of states and measurements of the i-th subsystem. Although the combinatorial complexity of the identification problem is tremendously reduced, this decoupled identification procedure has several limitations. The following fundamental limitations follow from [1]:

(L1) if $(E_i, A_i, B_{K_i}, C_i, D_{K_i})$ has invariant zeros, then $K_i$ is not detectable by the i-th control center;

(L2) if there is an attack set $R_i$, with $|R_i| \leq |K_i|$, such that $(E_i, A_i, [B_{K_i}\ \ B_{R_i}], C_i, [D_{K_i}\ \ D_{R_i}])$ has invariant zeros, then $K_i$ is not identifiable by the i-th control center;

(L3) if $K_i \not\subseteq K_i^b$ and $(E_i, A_i, [B_i^u\ \ B_{K_i}], C_i, D_{K_i})$ has no invariant zeros, then $K_i$ is detectable by the i-th control center; and

(L4) if $K_i \not\subseteq K_i^b$ and there is no attack set $R_i$, with $|R_i| \leq |K_i|$, such that $(E_i, A_i, [B_i^u\ \ B_{K_i}\ \ B_{R_i}], C_i, [D_{K_i}\ \ D_{R_i}])$ has invariant zeros, then $K_i$ is identifiable by the i-th control center.

Whereas limitations (L1) and (L2) also apply to any centralized attack detection and identification monitor, limitations (L3) and (L4) arise by naively treating the neighboring signals as unknown inputs. Since, in general, the i-th control center cannot distinguish between an unknown input from a safe subsystem, an unknown input from a corrupted subsystem, and a boundary attack with the same input direction, we can further state that

(L5) any (boundary) attack set $K_i \subseteq K_i^b$ is not detectable and not identifiable by the i-th control center, and

(L6) any (external) attack set $K \setminus K_i$ is not detectable and not identifiable by the i-th control center.
We remark that, following our graph-theoretic analysis in [1, Section IV], the attack $K_i$ is generically identifiable by the i-th control center if the number of attacks on the i-th subsystem is sufficiently small, the internal connectivity of the i-th subsystem (size of linking between unknown inputs/attacks and outputs) is sufficiently high, and the number of unknown signals from neighboring subsystems is sufficiently small. These criteria can ultimately be used to select an attack-resilient partitioning of a cyber-physical system.

D. Cooperative attack identification 

In this section we improve upon the naive fully decoupled method presented in Subsection IV-C and propose an identification method based upon a divide and conquer procedure with cooperation. This method consists of the following steps.

(S1: estimation and communication) Each control center estimates the state of its own region by means of an unknown-input observer for the i-th subsystem subject to the unknown input $B_i^u f_i(t)$. For this task we build upon existing unknown-input estimation algorithms (see the Appendix for a constructive procedure). Assume that the state $x_i(t)$ is reconstructed modulo some subspace $\mathcal{F}_i$.² Let $F_i = \mathrm{Basis}(\mathcal{F}_i)$, and let $x_i(t) = \hat x_i(t) + \tilde x_i(t)$, where $\hat x_i(t)$ is the estimate computed by the i-th control center, and $\tilde x_i(t) \in \mathcal{F}_i$. Assume that each control center i transmits the estimate $\hat x_i(t)$ and the uncertainty subspace $F_i$ to every neighboring control center.

(S2: residual generation) Observe that each input signal $A_{ij}x_j(t)$ can be written as $A_{ij}x_j(t) = A_{ij}\hat x_j(t) + A_{ij}\tilde x_j(t)$, where $\tilde x_j(t) \in \mathcal{F}_j$. Then, after carrying out step (S1), only the inputs $A_{ij}\tilde x_j(t)$ are unknown to the i-th control center, while the inputs $A_{ij}\hat x_j(t)$ are known to the i-th center due to communication. Let $B_i^u F_i = [A_{i1}F_1\ \cdots\ A_{i,i-1}F_{i-1}\ \ A_{i,i+1}F_{i+1}\ \cdots\ A_{iN}F_N]$, and rewrite the signal $B_i^u\tilde x(t)$ as $B_i^u\tilde x(t) = B_i^u F_i\tilde f_i(t)$, for some unknown signal $\tilde f_i(t)$. Then the dynamics of the i-th subsystem read as

$$E_i\dot x_i(t) = A_i x_i(t) + B_i^u\hat x(t) + B_i^u F_i\tilde f_i(t) + B_{K_i}u_{K_i}(t).$$

Analogously to the filter presented in Theorem 4.5 for the attack signature $(B_K, D_K)$, consider now the following filter (in appropriate coordinates) for (28) for the signature $(B_i^u F_i, 0)$

$$E_i\dot w_i(t) = (A_i + L_i C_i)w_i(t) - L_i y_i(t) + B_i^u\hat x(t),$$
$$r_i(t) = Mw_i(t) - Hy_i(t), \qquad (29)$$

where $L_i$ is the injection matrix associated with the conditioned invariant subspace generated by $B_i^u F_i$, with $(E_i, A_i + L_i C_i)$ Hurwitz, and $\hat x(t)$ is the state transmitted to i by its neighbors. Notice that, in the absence of attacks in the regions $\mathcal{N}_i^{\mathrm{in}}$, we have $B_i^u\hat x(t) = B_i^u x(t)$. Finally, let the matrices M and H in (29) be chosen so that the input $B_i^u F_i\tilde f_i(t)$ does not affect the residual $r_i(t)$.³ Consider the filter error $e_i(t) = w_i(t) - x_i(t)$, and notice that

$$E_i\dot e_i(t) = (A_i + L_i C_i)e_i(t) + B_i^u(\hat x(t) - x(t)) - B_{K_i}u_{K_i}(t) - B_i^u F_i\tilde f_i(t), \qquad (30)$$
$$r_i(t) = Me_i(t).$$

² For nonsingular systems without feedthrough matrix, $\mathcal{F}_i$ is as small as the largest $(A_i, B_i^u)$-controlled invariant subspace contained in $\mathrm{Ker}(C_i)$ [32].



(S3: cooperative residual analysis) We next state a key result for our distributed identification procedure.

Lemma 4.6: (Characterization of nonzero residuals) Let each control center implement the distributed identification filter with $w_i(0) = x_i(0)$. Assume that the attack K affects only the i-th subsystem, that is $K = K_i$. Assume that $(E_i, A_i, [B_i^u F_i\ \ B_{K_i}], C_i)$ and $(E_i, A_i, B_i^u, C_i)$ have no invariant zeros. Then,

(i) $r_i(t) \neq 0$ at some time t, and

(ii) either $r_j(t) = 0$ for all $j \in \mathcal{N}_i^{\mathrm{out}}$ at all times t, or $r_j(t) \neq 0$ for all $j \in \mathcal{N}_i^{\mathrm{out}}$ at some time t.

Proof: Notice that the estimation computed by a control center is correct provided that its area is not under attack. In other words, since $K = K_i$, we have that $B_i^u\hat x(t) = B_i^u x(t)$ in (30). Since $(E_i, A_i, [B_i^u F_i\ \ B_{K_i}], C_i)$ has no invariant zeros, statement (i) follows. In order to prove statement (ii), consider the following two cases: the i-th control center provides the correct estimation $\hat x_i(t) = x_i(t)$ or an incorrect estimation $\hat x_i(t) \neq x_i(t)$. For instance, if $\mathrm{Im}(B_{K_i}) \subseteq \mathrm{Im}(B_i^u)$, that is, the attack set $K_i$ lies on the boundary of the i-th area, then $\hat x_i(t) = x_i(t)$. Notice that, if $\hat x_i(t) = x_i(t)$, then each residual $r_j(t)$, $j \neq i$, is identically zero since the associated residual dynamics (30) evolve as an autonomous system without inputs. Suppose now that $\hat x_i(t) \neq x_i(t)$. Notice that $B_i^u F_i\tilde f_i(t) + B_i^u(\hat x(t) - x(t)) \in \mathrm{Im}(B_i^u)$. Then, since $(E_i, A_i, B_i^u, C_i)$ has no invariant zeros, each residual $r_j(t)$ is nonzero for some t. ■

³ See Section IV-B for a detailed construction of this type of filter.

As a consequence of Lemma 4.6 the region under attack can be identified through a distributed procedure. Indeed, the i-th area is safe if either of the following two criteria is satisfied:

(C1) the associated residual $r_i(t)$ is identically zero, or

(C2) the neighboring areas $j \in \mathcal{N}_i^{\mathrm{out}}$ feature both zero and nonzero residuals $r_j(t)$.

Consider now the case of several simultaneously corrupted subsystems. Then, if the graphical distance between any two corrupted areas is at least 2, that is, if there are at least two uncorrupted areas between any two corrupted areas, corrupted areas can be identified via our distributed method and criteria (C1) and (C2). An upper bound on the maximum number of identifiable concurrent corrupted areas can consequently be derived (see the related set packing problem in [30]).
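Step (S3) on a constructed region graph, as an added example that is not part of the paper: the residual pattern of Lemma 4.6 is simulated for a set of attacked regions (internal or boundary attacks), criteria (C1) and (C2) are applied to flag corrupted regions, and the number of uncorrupted regions between attacked ones is measured to show when the flagging is exact and when it is not. The ring of eight regions and the attack placements are assumptions.

```python
from collections import deque

# Constructed sample partition (not from the paper): a ring of eight regions, each
# control center's out-neighbours being the two adjacent regions, N_i^out = {i-1, i+1}.
RING = {i: {(i - 1) % 8, (i + 1) % 8} for i in range(8)}


def residual_pattern(out_neighbours, attacked, internal):
    """Regions whose residual r_j is nonzero at some time, as characterised by Lemma 4.6.
    An attacked region i has r_i != 0 (statement (i)).  Its out-neighbours all see a nonzero
    residual when the attack is internal (the estimate of x_i is wrong) and all see a zero
    residual when it is a boundary attack (statement (ii)).  Regions not adjacent to an
    attacked one keep r_j = 0, since their error dynamics (30) then evolve without input.
    `internal[i]` is True for an internal attack on region i, False for a boundary attack."""
    nonzero = set(attacked)
    for i in attacked:
        if internal[i]:
            nonzero |= out_neighbours[i]
    return nonzero


def flag_corrupted(out_neighbours, nonzero):
    """Distributed decision with criteria (C1) and (C2): region i is declared safe if r_i is
    identically zero (C1) or its out-neighbours feature both zero and nonzero residuals (C2).
    Every region that satisfies neither criterion is flagged as corrupted."""
    flagged = set()
    for i, nbrs in out_neighbours.items():
        if i not in nonzero:                       # (C1)
            continue
        zero_nbr = any(j not in nonzero for j in nbrs)
        nonzero_nbr = any(j in nonzero for j in nbrs)
        if zero_nbr and nonzero_nbr:               # (C2)
            continue
        flagged.add(i)
    return flagged


def uncorrupted_between(out_neighbours, attacked):
    """Minimum number of uncorrupted regions on a shortest path between two attacked regions
    (BFS over the region graph); the text requires this to be at least two.  None if fewer
    than two attacked regions are given."""
    best = None
    for src in attacked:
        dist = {src: 0}
        queue = deque([src])
        while queue:
            u = queue.popleft()
            for v in out_neighbours[u]:
                if v not in dist:
                    dist[v] = dist[u] + 1
                    queue.append(v)
        for dst in attacked:
            if dst != src and dst in dist:
                between = dist[dst] - 1
                best = between if best is None else min(best, between)
    return best


def identify(out_neighbours, attacked, internal):
    """End-to-end run of step (S3): residual pattern from Lemma 4.6, then (C1)/(C2)."""
    return flag_corrupted(out_neighbours, residual_pattern(out_neighbours, attacked, internal))


if __name__ == "__main__":
    # Two internal attacks with three uncorrupted regions between them: identified exactly.
    print(identify(RING, {1, 5}, {1: True, 5: True}))   # {1, 5}
    # A single boundary attack: only region 1 shows a nonzero residual and is flagged.
    print(identify(RING, {1}, {1: False}))              # {1}
    # Attacks on regions 1 and 3 leave only region 2 between them, violating the
    # separation requirement: region 2 is wrongly flagged as well.
    print(identify(RING, {1, 3}, {1: True, 3: True}))   # {1, 2, 3}
```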
(S4: local identification) Once the corrupted regions have been identified, the identification method in Section IV-B is used to identify the local attack set.

Lemma 4.7: (Local identification) Consider the decoupled system (28). Assume that the i-th region is under the attack $K_i$ whereas the neighboring regions $\mathcal{N}_i^{\mathrm{out}}$ are uncorrupted. Assume that each control center $j \in \mathcal{N}_i^{\mathrm{in}}$ transmits the estimate $\hat x_j(t)$ and the uncertainty subspace $F_j$ to the i-th control center. Then, the attack set $K_i$ is identifiable by the i-th control center if $(E_i, A_i, [B_i^u F_i\ \ B_{K_i}\ \ B_{R_i}], C_i, [D_{K_i}\ \ D_{R_i}])$ has no invariant zeros for any attack set $R_i$, with $|R_i| \leq |K_i|$.

Proof: Notice that each control center j, with $j \neq i$, can correctly estimate the state $x_j(t)$ modulo $\mathcal{F}_j$. Since this estimation is transmitted to the i-th control center, the statement follows from [1, Theorem 3.4]. ■

The final identification procedure (S4) is implemented only on the corrupted regions. Consequently, the combinatorial complexity of our distributed identification procedure is $\sum_{i=1}^{\tilde k}\binom{n_i + p_i}{|K_i|}$, where $\tilde k$ is the number of corrupted regions. Hence, the distributed identification procedure greatly reduces the combinatorial complexity of the centralized procedure presented in Subsection IV-B, which requires the implementation of $\binom{n+p}{|K|}$ filters. Finally, the assumptions of Lemma 4.6 and Lemma 4.7 clearly improve upon the limitations (L3) and (L4) of the naive decoupled approach presented in Subsection IV-C. We conclude this section with an example showing that, contrary to the limitation (L5) of the naive fully decoupled approach, boundary attacks $K_i \subseteq K_i^b$ can be identified by our cooperative attack identification method.

Fig. 6. This figure shows a network composed of two subsystems. A control center is assigned to each subsystem. Each control center knows only the dynamics of its local subsystem. The state of the blue nodes {2, 5, 7, 12, 13, 15} is continuously measured by the corresponding control center, and the state of the red node {3} is corrupted by an attacker. The decoupled identification procedure presented in Subsection IV-C fails at detecting the attack. Instead, by means of our cooperative identification procedure, the attack can be detected and identified via distributed computation.

Example 2: (An example of cooperative identification) Consider the sensor network in Fig. 6, where the state of the blue nodes {2, 5, 7, 12, 13, 15} is measured and the state of the red node {3} is corrupted by an attacker. Assume that the network evolves according to nonsingular, linear, time-invariant dynamics. Assume further that the network has been partitioned into the two areas $\mathcal{V}_1 = \{1, \dots, 8\}$ and $\mathcal{V}_2 = \{9, \dots, 16\}$ and at most one area is under attack. Since {3, 4} are the boundary nodes for the first area, the attack set $K = \{3\}$ is neither detectable nor identifiable by the two control centers via the fully decoupled procedure in Section IV-C.

Consider now the second subsystem with the boundary nodes $K_2^b = \{9, 10\}$. It can be shown that, generically, the second subsystem with unknown input $B_2^u f_2(t)$ has no invariant zeros; see [1, Section V]. Hence, the state of the second subsystem can be entirely reconstructed. Analogously, since the attack is on the boundary of the first subsystem, the state of the first subsystem can be reconstructed, so that the residual $r_2(t)$ is identically zero; see Lemma 4.6.

Suppose that the state of the second subsystem is continuously transmitted to the control center of the first subsystem. Then, the only unknown input in the first subsystem is due to the attack, which is now generically detectable and identifiable, since the associated system has no invariant zeros; see Lemma 4.7. We conclude that our cooperative identification procedure outperforms the decoupled counterpart in Section IV-C. □

Fig. 7. This figure illustrates the IEEE RTS96 power network [35]. The dynamics of the generators {101, 102} are affected by an attacker.

Fig. 8. In this figure we report our simulation results for the case of linear network dynamics without noise and for the proposed detection monitor and identification monitor (25), respectively. The state trajectory $x(t)$ consists of the generators' angles and frequencies. The detection residual $r(t)$ becomes nonzero after time 15s, and it reveals the presence of the attack. The identification residual $r_K(t)$ is identically zero even after time 15s, and it reveals that the attack set is $K = \{101, 102\}$. The identification residual $r_R(t)$ is nonzero after time 15s, and it reveals that R is not the attack set.



V. A CASE STUDY: THE IEEE RTS96 SYSTEM

In this section we apply our centralized attack detection and identification methods to the IEEE RTS96 power network [35] illustrated in Fig. 7. In particular, we first consider the nominal case, in which the power network dynamics evolve as a nominal linear time-invariant descriptor system, as described in [1, Section II.C]. Second, we consider the case of additive state and measurement noise, and we show the robustness of the attack detection and identification monitors. Third, we consider the case of nonlinear differential-algebraic power network dynamics and show the effectiveness of our methods in the presence of unmodeled nonlinear dynamics.

For our numerical studies, we assume the angles and frequencies of every generator to be measured. Additionally, we let the attacker affect the angles of the generators {101, 102} with a random signal starting from time 15s. Since the considered power network dynamics are of index one, the filters are implemented using the nonsingular Kron-reduced system representation [1, Section III.D]. The results of our simulations are in Fig. 8, Fig. 9, and Fig. 10. In conclusion, our centralized detection and identification filters appear robust to state and measurement noise and unmodeled dynamics.

Fig. 9. In this figure we report our simulation results for the case of linear network dynamics driven by state and measurement noise. For this case, we choose the output injection matrices of the detection and identification filters as the corresponding optimal Kalman gain (see Remark 1 and Remark 5). Due to the presence of noise, the residuals deviate from their nominal behavior reported in Fig. 8. Although the attack is clearly still detectable and identifiable, additional statistical tools such as hypothesis testing [23] may be adopted to analyze the residuals $r(t)$, $r_K(t)$, and $r_R(t)$.



VI. Conclusion 

For cyber-physical systems modeled by linear time-invariant 
descriptor systems, we proposed attack detection and identifi- 
cation monitors. In particular, for the detection problem we 
developed both centralized and distributed monitors. These 
monitors are optimal, in the sense that they detect every 
detectable attack. For the attack identification problem, we 
developed an optimal centralized monitor and a sub-optimal 
distributed method. Our centralized attack identification mon- 
itor relies upon a combinatorial machinery. Our distributed 
attack identification monitor, instead, is computationally ef- 
ficient and achieves guaranteed identification of a class of 
attacks, which we characterize. Finally, we provided several 
examples to show the effectiveness and the robustness of our 
methods against uncertainties and unmodeled dynamics. 

Fig. 10. In this figure we report our simulation results for the case of nonlinear network dynamics without noise. For this case, the detection and identification filters are designed for the nominal linearized dynamics with output injection matrices as the corresponding optimal Kalman gain (see Remark 1 and Remark 3). Despite the presence of unmodeled nonlinear dynamics, the residuals reflect their nominal behavior reported in Fig. 8.

APPENDIX 

In this section we present an algebraic technique to reconstruct the state of a descriptor system. Our method builds upon the results presented in [17]. Consider the descriptor model (1) written in the form (see [1, Section IV.C])

\[
\begin{aligned}
\dot x_1(t) &= A_{11} x_1(t) + A_{12} x_2(t) + B_1 u(t), \\
0 &= A_{21} x_1(t) + A_{22} x_2(t) + B_2 u(t), \\
y(t) &= C_1 x_1(t) + C_2 x_2(t) + D u(t).
\end{aligned}
\tag{A-1}
\]



We aim at characterizing the largest subspace of the state space of (A-1) that can be reconstructed through the measurements $y(t)$. Consider the associated nonsingular system

\[
\begin{aligned}
\dot{\tilde x}_1(t) &= A_{11} \tilde x_1(t) + B_1 \tilde u(t) + A_{12} \tilde x_2(t), \\
\tilde y(t) &= \begin{bmatrix} A_{21} \\ C_1 \end{bmatrix} \tilde x_1(t)
 + \begin{bmatrix} A_{22} & B_2 \\ C_2 & D \end{bmatrix}
 \begin{bmatrix} \tilde x_2(t) \\ \tilde u(t) \end{bmatrix}.
\end{aligned}
\tag{A-2}
\]



Recall from [32, Section 4] that the state of the system (A-2) can be reconstructed modulo its largest controlled invariant subspace contained in the null space of the output matrix.

Lemma 6.1: (Reconstruction of the state $x_1(t)$) Let $V_1^*$ be the largest controlled invariant subspace of the system (A-2). The state $x_1(t)$ of the system (A-1) can be reconstructed only modulo $V_1^*$ through the measurements $y(t)$.

Proof: We start by showing that for every $x_1(0) \in V_1^*$ there exist $\tilde x_2(t)$ and $\tilde u(t)$ such that $\tilde y(t)$ is identically zero. Due to the linearity of (A-1), we conclude that the projection of $x_1(t)$ onto $V_1^*$ cannot be reconstructed. Notice that for every $\tilde x_1(0)$, $\tilde x_2(t)$, and $\tilde u(t)$ yielding $\tilde y_1(t) = 0$ at all times, the state trajectory $[\tilde x_1(t)\ \tilde x_2(t)]$ is a solution to (A-1) with input $u(t) = \tilde u(t)$ and output $y(t) = \tilde y_2(t)$. Since for every $\tilde x_1(0) \in V_1^*$ there exist $\tilde x_2(t)$ and $\tilde u(t)$ such that $\tilde y(t)$ is identically zero, we conclude that every state $x_1(0) \in V_1^*$ cannot be reconstructed.

We now show that the state $x_1(t)$ can be reconstructed modulo $V_1^*$. Let $x_1(0)$ be orthogonal to $V_1^*$, and let $x_1(t)$, $x_2(t)$, and $y(t)$ be the solution to (A-1) subject to the input $u(t)$. Notice that $\tilde x_1(t) = x_1(t)$, $\tilde y_1(t) = 0$, and $\tilde y_2(t) = y(t)$ is the solution to (A-2) with inputs $\tilde x_2(t) = x_2(t)$ and $\tilde u(t) = u(t)$. Since $x_1(0)$ is orthogonal to $V_1^*$, we conclude that $\tilde x_1(0) = x_1(0)$, and in fact the subspace $(V_1^*)^\perp$ can be reconstructed through the measurements $\tilde y_2(t) = y(t)$. ■

In Lemma 6.1 we show that the state $x_1(t)$ of (A-1) can be reconstructed modulo $V_1^*$. We now show that the state $x_2(t)$ can generally not be completely reconstructed.

Lemma 6.2: (Reconstruction of the state $x_2(t)$) Let $V_1^* = \mathrm{Im}(V_1)$ be the largest controlled invariant subspace of the system (A-2). The state $x_2(t)$ of the system (A-1) can be reconstructed only modulo $V_2 = A_{22}^{-1}\,\mathrm{Im}([A_{21} V_1 \;\; B_2])$.

Proof: Let $x_1(t) = \tilde x_1(t) + \hat x_1(t)$, where $\tilde x_1(t) \in V_1^*$ and $\hat x_1(t)$ is orthogonal to $V_1^*$. From Lemma 6.1 the signal $\hat x_1(t)$ can be entirely reconstructed via $y(t)$. Since $V_1^* = \mathrm{Im}(V_1)$, write $\tilde x_1(t) = V_1 v_1(t)$ for some $v_1(t)$, and notice that

\[
\begin{aligned}
0 &= A_{21} x_1(t) + A_{22} x_2(t) + B_2 u(t) \\
  &= A_{21} V_1 v_1(t) + A_{21} \hat x_1(t) + A_{22} x_2(t) + B_2 u(t).
\end{aligned}
\]

Let $W$ be such that $\mathrm{Ker}(W) = \mathrm{Im}([A_{21} V_1 \;\; B_2])$. Then, $0 = W A_{21} \hat x_1(t) + W A_{22} x_2(t)$, and hence $x_2(t) = \hat x_2(t) + \tilde x_2(t)$, where $\hat x_2(t) = -(W A_{22})^\dagger W A_{21} \hat x_1(t)$, and $\tilde x_2(t) \in \mathrm{Ker}(W A_{22}) = A_{22}^{-1}\,\mathrm{Im}([A_{21} V_1 \;\; B_2])$. The statement follows. ■

To conclude the paper, we remark the following points. First, our characterization of $V_1^*$ and $V_2$ is equivalent to the definition of weakly unobservable subspace in [18] and of maximal output-nulling subspace in [33]. Hence, we proposed an optimal state estimator for our distributed attack identification procedure, and the matrix $V_i$ in (S1: estimation and communication) can be computed as in [18], [33]. Second, a reconstruction of $x_1(t)$ modulo $V_1^*$ and of $x_2(t)$ modulo $V_2$ can be obtained through standard algebraic techniques [32]. Third and finally, Lemma 6.1 and Lemma 6.2 extend the results in [17] by characterizing the subspaces of the state space that can be reconstructed with an algebraic method by processing the measurements $y(t)$ and their derivatives.
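As an added illustration of Lemma 6.1 and Lemma 6.2 (example code written for this page, not part of the paper or its authors' software), the following Python script computes $V_1^*$ for the nonsingular system (A-2) by the standard recursion for the weakly unobservable subspace, $V_0 = \mathbb{Q}^n$, $V_{k+1} = \{x : \exists u,\ Ax + Bu \in V_k,\ Cx + Du = 0\}$, and then $V_2 = A_{22}^{-1}\,\mathrm{Im}([A_{21} V_1 \;\; B_2])$. The descriptor matrices in `descriptor_example` are a constructed toy instance of (A-1) chosen so that one direction of $x_1$ and all of $x_2$ are unreconstructible; exact rational arithmetic is used so that ranks are not affected by rounding.

```python
from fractions import Fraction as Fr

def rref(M):
    """Reduced row echelon form over Q: returns (nonzero rows, pivot columns)."""
    M, piv, r = [[Fr(v) for v in row] for row in M], [], 0
    for c in range(len(M[0]) if M else 0):
        p = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        M[r] = [v / M[r][c] for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c] != 0:
                M[i] = [a - M[i][c] * b for a, b in zip(M[i], M[r])]
        piv, r = piv + [c], r + 1
    return M[:r], piv

def null_space(M, ncols):
    """Basis vectors of {v in Q^ncols : M v = 0}; an empty M yields the whole space."""
    R, piv = rref(M) if M else ([], [])
    pivot_row = dict(zip(piv, R))
    return [[-pivot_row[c][f] if c in pivot_row else Fr(int(c == f)) for c in range(ncols)]
            for f in range(ncols) if f not in piv]

def span(vectors):  # canonical basis (rref rows) of the span of the given vectors
    return rref(vectors)[0] if vectors else []

def preimage(A, S):  # {x : A x in Im(S)} for A (r x n) and S (r x k), both as lists of rows
    ann = null_space([list(col) for col in zip(*S)], len(A))  # rows w with w^T S = 0
    return span(null_space([[sum(w[i] * a[j] for i, a in enumerate(A)) for j in range(len(A[0]))] for w in ann], len(A[0])))

def weakly_unobservable(A, B, C, D):
    """Largest V s.t. each x in V admits u with A x + B u in V and C x + D u = 0 (V_0 = Q^n, V_{k+1} as above)."""
    n, m, p = len(A), len(B[0]), len(C)
    M = [a + b for a, b in zip(A, B)] + [c + d for c, d in zip(C, D)]  # [A B; C D]
    V = [[Fr(int(i == j)) for j in range(n)] for i in range(n)]
    while True:
        ann = null_space([v + [Fr(0)] * p for v in V], n + p)  # annihilator of Im[V; 0]
        K = [[sum(w[i] * M[i][j] for i in range(n + p)) for j in range(n + m)] for w in ann]
        Vnew = span([z[:n] for z in null_space(K, n + m)])  # project solutions (x, u) onto x
        if len(Vnew) == len(V):
            return Vnew
        V = Vnew

def descriptor_example():
    """Constructed toy instance of (A-1): x1 in Q^2, scalar x2, u, y. Returns bases of V1*, V2."""
    A11, A12, B1, A21, A22, B2 = [[0, 1], [0, 0]], [[0], [1]], [[1], [0]], [[1, 0]], [[1]], [[1]]
    C1, C2, D = [[1, 0]], [[0]], [[0]]
    # (A-2): state x1, inputs (x2, u), outputs (A21 x1 + A22 x2 + B2 u, C1 x1 + C2 x2 + D u)
    Dt = [a + b for a, b in zip(A22, B2)] + [c + d for c, d in zip(C2, D)]
    V1 = weakly_unobservable(A11, [a + b for a, b in zip(A12, B1)], A21 + C1, Dt)
    cols = [[sum(a * b for a, b in zip(row, v)) for row in A21] for v in V1] + [list(c) for c in zip(*B2)]
    V2 = preimage(A22, [list(row) for row in zip(*cols)])  # A22^{-1} Im([A21 V1  B2])
    return V1, V2
```

For the constructed system the script returns $V_1^* = \mathrm{span}\{(0,1)\}$ (the second component of $x_1$ can be hidden by the input $u$) and $V_2 = \mathbb{Q}$, i.e. $x_2$ cannot be reconstructed at all because the unknown $u$ enters the algebraic constraint directly.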